# AWX Web ConfigMap.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: '{{ meta.name }}-{{ deployment_type }}-configmap'
  namespace: '{{ meta.namespace }}'
  labels:
    app.kubernetes.io/name: '{{ meta.name }}'
    app.kubernetes.io/part-of: '{{ meta.name }}'
    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
    app.kubernetes.io/component: '{{ deployment_type }}'
    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
data:
  environment: |
    AWX_SKIP_MIGRATIONS=true

  settings: |
    import os
    import socket
    
    def get_secret():
        if os.path.exists("/etc/tower/SECRET_KEY"):
            return open('/etc/tower/SECRET_KEY', 'rb').read().strip()
    
    ADMINS = ()
    STATIC_ROOT = '/var/lib/awx/public/static'
    PROJECTS_ROOT = '/var/lib/awx/projects'
    JOBOUTPUT_ROOT = '/var/lib/awx/job_status'

    IS_K8S = True

    SECRET_KEY = get_secret()
    
    ALLOWED_HOSTS = ['*']
    
    INTERNAL_API_URL = 'http://127.0.0.1:8052'

    # Sets Ansible Collection path
    AWX_ANSIBLE_COLLECTIONS_PATHS = '/var/lib/awx/vendor/awx_ansible_collections'

    # Container environments don't like chroots
    AWX_PROOT_ENABLED = False
    
    # Automatically deprovision pods that go offline
    AWX_AUTO_DEPROVISION_INSTANCES = True
    
    CLUSTER_HOST_ID = socket.gethostname()
    SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000')
    
    CSRF_COOKIE_SECURE = False
    SESSION_COOKIE_SECURE = False
    
    SERVER_EMAIL = 'root@localhost'
    DEFAULT_FROM_EMAIL = 'webmaster@localhost'
    EMAIL_SUBJECT_PREFIX = '[AWX] '
    
    EMAIL_HOST = 'localhost'
    EMAIL_PORT = 25
    EMAIL_HOST_USER = ''
    EMAIL_HOST_PASSWORD = ''
    EMAIL_USE_TLS = False
    
    LOGGING['handlers']['console'] = {
        '()': 'logging.StreamHandler',
        'level': 'DEBUG',
        'formatter': 'simple',
        'filters': ['guid'],
    }
    
    LOGGING['loggers']['django.request']['handlers'] = ['console']
    LOGGING['loggers']['rest_framework.request']['handlers'] = ['console']
    LOGGING['loggers']['awx']['handlers'] = ['console', 'external_logger']
    LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console']
    LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console', 'external_logger']
    LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console', 'external_logger']
    LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
    LOGGING['loggers']['social']['handlers'] = ['console']
    LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
    LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
    LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'}

    USE_X_FORWARDED_PORT = True
    BROADCAST_WEBSOCKET_PORT = 8052
    BROADCAST_WEBSOCKET_PROTOCOL = 'http'

{% for item in extra_settings | default([]) %}
    {{ item.setting }} = {{ item.value }}
{% endfor %}

  nginx_conf: |
    worker_processes  1;
    pid        /tmp/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
        server_tokens off;
    
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log /dev/stdout main;
    
        map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
        }
    
        sendfile        on;
        #tcp_nopush     on;
        #gzip  on;
    
        upstream uwsgi {
            server 127.0.0.1:8050;
        }
    
        upstream daphne {
            server 127.0.0.1:8051;
        }
    

        {% if route_tls_termination_mechanism | lower == 'passthrough' %}
        server {
            listen 8052 default_server;
            server_name _;

            # Redirect all HTTP links to the matching HTTPS page
            return 301 https://$host$request_uri;
        }
        {% endif %}

        server {
        {% if route_tls_termination_mechanism | lower == 'passthrough' %}
            listen 8053 ssl;

            ssl_certificate /etc/nginx/pki/web.crt;
            ssl_certificate_key /etc/nginx/pki/web.key;
            ssl_session_cache shared:SSL:50m;
            ssl_session_timeout 1d;
            ssl_session_tickets off;
            ssl_ciphers PROFILE=SYSTEM;
            ssl_prefer_server_ciphers on;
        {% else %}
            listen 8052 default_server;
        {% endif %}

            # If you have a domain name, this is where to add it
            server_name _;
            keepalive_timeout 65;
    
            # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
            add_header Strict-Transport-Security max-age=15768000;
    
            # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
            add_header X-Frame-Options "DENY";
    
            location /nginx_status {
                stub_status on;
                access_log off;
                allow 127.0.0.1;
                deny all;
            }
    
            location /static/ {
                alias /var/lib/awx/public/static/;
            }
    
            location /favicon.ico {
                alias /var/lib/awx/public/static/media/favicon.ico;
            }
    
            location /websocket {
                # Pass request to the upstream alias
                proxy_pass http://daphne;
                # Require http version 1.1 to allow for upgrade requests
                proxy_http_version 1.1;
                # We want proxy_buffering off for proxying to websockets.
                proxy_buffering off;
                # http://en.wikipedia.org/wiki/X-Forwarded-For
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # enable this if you use HTTPS:
                proxy_set_header X-Forwarded-Proto https;
                # pass the Host: header from the client for the sake of redirects
                proxy_set_header Host $http_host;
                # We've set the Host header, so we don't need Nginx to muddle
                # about with redirects
                proxy_redirect off;
                # Depending on the request value, set the Upgrade and
                # connection headers
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
            }
    
            location / {
                # Add trailing / if missing
                rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
                uwsgi_read_timeout 120s;
                uwsgi_pass uwsgi;
                include /etc/nginx/uwsgi_params;
                {%- if extra_nginx_include is defined %}
                include {{ extra_nginx_include }};
                {%- endif %}
                proxy_set_header X-Forwarded-Port 443;
                uwsgi_param HTTP_X_FORWARDED_PORT 443;

                add_header Strict-Transport-Security max-age=15768000;
                # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
                add_header X-Frame-Options "DENY";
                add_header Cache-Control "no-cache, no-store, must-revalidate";
                add_header Expires "0";
                add_header Pragma "no-cache";
            }
        }
    }
  redis_conf: |
    unixsocket /var/run/redis/redis.sock
    unixsocketperm 777
    port 0
    bind 127.0.0.1
  receptor_conf: |
    ---
    - log-level: debug

    - control-service:
        service: control
        filename: /var/run/receptor/receptor.sock
        permissions: 0660

    - local-only:

    - work-command:
        worktype: local
        command: ansible-runner
        params: worker
        allowruntimeparams: true

    - work-kubernetes:
        worktype: kubernetes-runtime-auth
        authmethod: runtime
        allowruntimeauth: true
        allowruntimepod: true
        allowruntimeparams: true

    - work-kubernetes:
        worktype: kubernetes-incluster-auth
        authmethod: incluster
        allowruntimeauth: true
        allowruntimepod: true
        allowruntimeparams: true
